Systems and methods for recording and visually recreating sessions in a client-server environment

ABSTRACT

A system and method for auditing network applications captures transmissions during a user session between a client and a server. An auditor capture filter captures and stores each request from the client and each response by the server to each request in an auditor storage. An auditor analyzer may use the captured requests and the captured responses to visually recreate the user session to thereby analyze what transpired during the user session.

RELATED APPLICATION

This application is related to issued U.S. Pat. No. 6,286,098, entitled“System and Method for Encrypting Audit Information in NetworkApplications,” by inventors Robert Wenig and Igor Tsyganskiy. Thisapplication is also related to issued European Patent 1 097 428 B1,entitled “System and Method for Auditing Network Applications,” byinventors Robert Wenig, Igor Tsyganskiy, and Kenneth Landry, filed on 10Jul. 1999.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a system and method for auditingnetwork applications. More particularly, the present invention relatesto a system and method for visually recreating a user session to analyzevarious aspects of the network application.

2. Discussion of the Related Art

In a network application, also referred to as a client/serverapplication, a client requests information from a server. In response toeach request, the server provides information to the client. A typicalserver may be responding to several hundred clients at one time, whilethe client may access several servers intermittently and over a veryshort period of time. As a result of the very dynamic nature of suchapplications, problems associated with the application are difficult toisolate, repeat, and/or diagnose. Furthermore, such problems aredifficult to attribute to either the server or the client.

Another problem associated with network applications, particularly thosedealing in electronic commerce (“e-commerce”), is that the precisebehavior of the purchaser during the transaction is difficult toascertain and even more difficult to evaluate or understand. Forexample, website developers may wish to understand how a particularbuyer using an e-commerce application navigates through the website topurchase an item. Given the nature of conventional network applications,such understanding is difficult to obtain.

Still other problems exists with network applications, some of which arediscussed in further detail below. A need exists for a system and methodfor auditing network applications that solves the problems describedherein.

SUMMARY OF THE INVENTION

Accordingly, the present invention is directed to a system and methodfor auditing network applications. In particular, the present inventioncaptures requests and responses sent between a client and a serverduring a particular user session of a network application. The presentinvention stores the requests and responses in an auditor storage.Subsequently, the present invention retrieves the requests and responsesfrom the auditor storage to visually recreate the user session.

One of the features of the present invention is that an analyst is ableto retrieve a particular user session from the auditor storage and stepthrough a particular user session thereby viewing the user session asthe client viewed the user session. This enables the analyst tounderstand the sequence of events that occurred during a particular usersession exactly as they occurred.

Another feature of the present invention is that the analyst candetermine the exact sequence of events that occurred prior to an erroroccurring in the network application. In addition, the present inventionstores information describing the client/server environment during theuser session so that the analyst may be able to attribute certain errorsto loading or traffic on the server or the communication link.

Another feature of the present invention is that the analyst can viewdata associated with multiple user sessions to analyze how differentclients navigated through a particular website. Such analysis is usefulto determine how particular websites might be improved to achieve aparticular result.

Another feature of the present invention is that OLAP analysis can beused, for example, to provide better response times to clients whoroutinely purchase by shifting them to a faster application server.Furthermore, clients who routinely purchase could also be offered adirect path to a particular location in the website thereby avoiding thepath through the website provided to other clients. In addition, theanalyst can ascertain the value of advertising on the website by viewingthe number of purchases before and after such advertising.

Additional features and advantages of the present invention will be setforth in the description which follows, and in part will be apparentfrom the description, or may be learned by practice of the invention.The objectives and other advantages of the invention will be realizedand attained by the process particularly pointed out in the writtendescription and claims hereof as well as the appended drawings.

It is to be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory and areintended to provide further explanation of the invention as claimed.

BRIEF DESCRIPTION OF THE ATTACHED DRAWINGS

The accompanying drawings, which are included to provide a furtherunderstanding of the invention and are incorporated in and constitute apart of this specification, illustrate embodiments of the invention thattogether with the description serve to explain the principles of theinvention.

In the drawings:

FIG. 1 illustrates an embodiment of the present invention capturingsession data in a client/server environment;

FIG. 2 illustrates an embodiment of the present invention analyzingcaptured session data in an auditing environment;

FIG. 3 is a flowchart that illustrates the operation of one embodimentof the present invention as it captures session data;

FIG. 4 is a flowchart that illustrates the operation of one embodimentof the present invention as it visually recreates a user session;

FIG. 5 is a flowchart that illustrates the operation of a preferredembodiment of the present invention as it performs the step ofrecreating and visually displaying the dynamically generated screen;

FIG. 6 illustrates an analyzer according to a preferred embodiment ofthe present invention in further detail;

FIG. 7 illustrates an analyze module according to a preferred embodimentof the present invention in further detail;

FIG. 8 is a flowchart that illustrates the step of storing data inauditor storage according to one embodiment of the present invention;

FIG. 9 illustrates a star structure for storing OLAP data for aninternet based environment according to one embodiment of the presentinvention;

FIG. 10 illustrates a star structure for storing OLAP data for an SAPR/3 environment according to one embodiment of the present invention;

FIG. 11 illustrates a viewer table data structure for an internet basedenvironment according to one embodiment of the present invention;

FIG. 12 illustrates a viewer table data structure for an SAP R/3environment according to one embodiment of the present invention; and

FIG. 13 illustrates a dimension buffer data structure according to oneembodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference will now be made in detail to the preferred embodiments of thepresent invention, examples of which are illustrated in the accompanyingdrawings.

In a client/server environment 100, such as that illustrated in FIG. 1,a client 110 communicates with a server environment 140 through acommunication link 125. As would be understood, server environment 140may comprise a single network server or several servers acting inconjunction with one another.

A particular set of related communications between client 110 and serverenvironment 140 is referred to as a user session 130. User session 130includes a series of requests 134 made by client 110 to serverenvironment 140, and a series of responses 132 from server environment140 to client 110 in response to requests 134. A particular request 134and its associated response 132 is referred to herein as a hit 135 oralternatively as a request/response pair. During user session 130,client 110 may access server environment 140 in any of several manners,as is known in the art.

Client 110 accesses server environment 140 through a dynamicallygenerated screen 120 which displays information to client 110 fromserver environment 140 for a particular network application. Based onrequests 134 and responses 132, server environment 140 providesinformation to update dynamically generated screen 120. According to oneembodiment of the present invention, dynamically generated screen 120 isgenerated by a work station (not shown) of client 110 based oninformation included in response 132 from server environment 140. In oneembodiment of the present invention, dynamically generated screen 120 isgenerated by the work station based on a response 132 that includes amarkup language such as HTML, XML, SGML, etc., used in variousclient/server environments 100. In an alternate embodiment of thepresent invention, dynamically generated screen 120 is generated by awork station of client 110 based on a response 132 that includesinformation compatible with formats utilized in a dedicated on-lineenvironment such as a SAP R/3 environment.

The following discussion is based on client/server environment 100operating in an Internet or Web-based environment. However, it should beunderstood that the present invention also contemplates a system whereclient 110 is hard-wired directly to server environment 140, such as inthe SAP R/3 environment. It will be apparent to one skilled in the arthow the following discussion applies to such hardwired or “dedicated”systems.

According to the present invention, an auditor capture filter 150monitors communication link 125 to capture communications (i.e.,requests 134 and responses 132) between client 110 and serverenvironment 140. In particular, auditor capture filter 150 capturesrequest 134 from client 110 to server environment 140 and capturesresponse 132 from server environment 140 to client 110. In oneembodiment of the present invention, auditor capture filter 150 capturesrequest 134 from communication link 125 after server environment 140 hasreceived request 134 but before server environment 140 has processedrequest 134. In this embodiment of the present invention, auditorcapture filter 150 captures response 132 after server environment 140has processed request 134 and determined response 132 but prior toserver environment 140 sending response 132. It should be understoodthat the capturing function of a preferred auditor capture filter 150does not interfere with or interrupt communication between client 100and server environment 140.

In the embodiment of the present invention just described, serverenvironment 140 would include the necessary modifications to provideauditor capture filter 150 with access to requests 134 and responses132. In other words, server environment 140 would provide auditorcapture filter 150 with the necessary hooks to the session data as wouldbe apparent. In this embodiment, auditor capture filter 150 capturesrequests 134 and responses 132 with the cooperation and possibly theactive participation of server environment 140.

In an alternate embodiment of the present invention, auditor capturefilter 150 would not require the modifications to server environment 140discussed above. In this alternate embodiment of the present invention,auditor capture filter 150 would capture requests 134 and responses 132directly from communication link 125 and server environment 140 wouldfunction without regard to the presence of auditor capture filter 150.

Auditor capture filter 150 stores captured request 134 and capturedresponse 132 in an auditor storage 160. In a preferred embodiment of thepresent invention, captured request 134 and captured response 132 arestored as a hit 135. Auditor storage 160 includes a storage device suchas a disk drive, a RAM, a database or other such memory device as wouldbe apparent. In some preferred embodiments of the present invention,auditor storage 160 stores all hits 135 in a particular user session 130as stored hits 175 in a stored user session 170. In other words, inthese embodiments of the present invention, the series of capturedrequests 134 and captured responses 132 that comprise a particular usersession 130 are stored collectively as stored user session 170.

In one embodiment of the present invention, user session 130 isconducted over an Internet. As such, after each transmission, (i.e.,after each request 134 from client 110 to server environment 140 andafter each response 132 from server environment 140 to client 10) client110 and server environment 140 are not in active communication (i.e.,they are effectively disconnected). In such an application, a uniquesession identification (also referred herein as a state identification)is used to identify a particular client 110 each time the particularclient 110 accesses server environment 140. The session identificationis sent with each request 134 to uniquely determine the user context.Using the session identification to attribute each request 134 to aparticular client 110, server environment 140 is able to handle client110 over the Internet as if client 110 was continuously connected toserver environment 140.

In a second embodiment of the present invention, client 10 and serverenvironment 140 are continuously connected via dedicated communicationlink 125. In this embodiment of the present invention, a sessionidentification is not necessary for each request 134; rather, thesession identification is implicit in each transmission between client110 and server environment 140 as a result of the dedicatedcommunication link 125.

As discussed above, a series of requests 134 and responses 132 betweenclient 110 and server environment 140 that comprise user session 130 arestored in auditor storage 160 as stored hits 175 in stored user session170. As discussed in reference to FIG. 2, an analyzer 220 enables ananalyst 210 to analyze user session 170. For example, analyst 210 mayevaluate user session 170 to determine how client 10 moves through aparticular network application to achieve a particular result. Suchevaluation is useful, for example, in commercial or e-commerce Internetapplications. In these applications, application developers areinterested in understanding how a client 110 navigates through aparticular application to arrive at a particular result, such as apurchase. As can be appreciated, the present invention permits analyst210 to evaluate the particular application for different clients 110, atdifferent times, etc.

In another example, analyst 210 may evaluate user session 170 to isolateerrors that occurred during user session 130. In this example, analyst210 can recreate the entire user session 130 in an effort to identifyand isolate a problem with a particular network application.

As shown at FIG. 2, analyst 210 uses analyzer 220 to access auditorstorage 160. In particular, analyst 210 is able to access a particularuser session 170 and visually recreate it. In other words, analyst 210is able to step through the particular user session 170 and individuallyevaluate each request 134 and each response 132 as it occurred duringuser session 170. In a preferred embodiment of the present invention,analyzer 220 visually recreates user session 170 by generating thevarious screens 120 that were presented to client 110 by serverenvironment 140 during user session 130. In this manner, analyst 210 isable to view the identical screens 120 that client 110 viewed duringuser session 130. Analyst 210 is also able to evaluate any request madeby client 110 and evaluate any subsequent response 132 of serverenvironment 140. As would be apparent, analyst 210 may evaluate usersession 130 off-line, that is, after user session 170 is complete, or innear real-time, that is, while user session 170 is occurring. In thislatter embodiment, analyzer 220 may retrieve hits 175 from auditorstorage 160 or directly from auditor capture filter 150 (thereby bypassing auditor storage 160).

Having thus described the components of the present invention, theoperation of the present invention is now discussed. FIG. 3 is aflowchart that illustrates an operation 300 of auditor capture filter150 as it captures requests 134 and responses 132 during user session130 according to one embodiment of the present invention. In a step 310,server environment 140 receives a request 134 from client 110. In a step320, auditor capture filter 150 captures request 134. In one embodimentof the present invention, auditor capture filter 150 captures request134 at server environment 140. Specifically, in this embodiment, auditorcapture filter 150 captures request 134 from server environment 140after server environment 140 receives request 134 but prior to serverenvironment 140 processing request 134. In an alternate embodiment ofthe present invention, server environment 140 may pass request 134 toauditor capture filter 150 as would be apparent. Of course, othermechanisms exist that permit auditor capture filter 150 to gain accessto request 134 as would be apparent. In any case, the capture of request134 does not interfere with or interrupt communication between client110 and server environment 140.

In an alternate embodiment of the present invention, auditor capturefilter 150 captures request 134 directly from communication fink 125without cooperation from or participation with server environment 140.

In a preferred embodiment of the present invention, capturing request134 includes capturing or determining particular environmental data (notshown) associated with client 110 and server environment 140 at or aboutthe time request 134 was sent or captured. This environmental dataincludes parameters such as loading, traffic volume, status, or othersuch information available on communication link 125 and well known inclient/server environment 100. As will be discussed below, theenvironmental data permits analyzer 220 to evaluate the effect ofclient/server environment 100 on a particular user session 170.

In a step 330, server environment 140 determines a response 132 torequest 134 from client 110. In a step 340, server environment 140 sendsresponse 132 to client 110. In a step 350, according to one embodimentof the present invention, auditor capture filter 150 captures response132 from server environment 140 to client 110. In an alternateembodiment, server environment 140 may pass response 132 to auditorcapture filter 150 as would be apparent. In yet another alternateembodiment of the present invention, auditor capture filter 150 capturesresponse 132 directly from communication link 125. Furthermore, asdiscussed above with respect to capturing request 134, in a preferredembodiment of the present invention, capturing response 132 includescapturing environmental data associated with response 132.

Finally, in a step 360, auditor capture filter 150 stores capturedrequest 134 and captured response 132 as a hit 175 in auditor storage160. In particular, each hit 175 (or alternately, each request/responsepair) is stored in auditor storage 160 together with other hitsassociated with a particular user session 170.

In an alternate embodiment of the present invention, auditor capturefilter 150 stores captured request 134 in auditor storage 160 as soon asit is captured rather than waiting for an associated captured response132. In other words, captured request 134 and captured response 132 arestored as they are captured.

According to one embodiment of the present invention, auditor capturefilter 150 captures or receives requests 134 and/or responses 132 fromserver environment 140. In fact, in actual implementation, auditorcapture filter 150 may reside on and operate in conjunction with serverenvironment 140. With this implementation and according to the presentinvention, software, hardware, or a combination of software and hardwareassociated with auditor capture filter 150 is not required at client 110nor does client 110 require any modifications to the hardware orsoftware residing therein.

In an alternate embodiment of the present invention, auditor capturefilter 150 captures requests 134 and responses 132 directly fromcommunication link. In this embodiment of the present invention,software, hardware, or a combination of software and hardware associatedwith auditor capture filter 150 is not required at either client 110 orserver environment 140.

FIG. 4 is a flowchart that illustrates the operation 400 of analyzer 220as it facilities the analysis of a user session 170 according to oneembodiment of the present invention. In a step 410, analyzer 220 locatesa particular user session 170 in auditor storage 160. In an alternateembodiment that bypasses auditor storage 160, analyzer 220 specifies toauditor capture filter 150 a particular user session 170 that analyzer220 wishes to analyze.

User session 170 may be located by any number of mechanisms as would beapparent. Such mechanisms may permit analyzer to access auditor storage160 according to the date and/or session number which correspond to aparticular user session 170 sought. However, such date and sessionnumber may not always be known. Hence, analyzer 220 may include othermechanisms for locating user session 170 such as searching auditorstorage 160 using key words, identifiers, etc., or any other manner ofsearching auditor storage 160 as would be apparent to one skilled in theart.

After a particular user session 170 has been located, in a step 420,analyzer 220 retrieves request 134 from auditor storage 160. Likewise,in a step 430, analyzer 220 retrieves response 132 corresponding torequest 134 from auditor storage 160. As discussed above, in analternate embodiment of the present invention, analyzer 220 may retrieverequest 134 and response 132 directly from auditor capture filter 150.

In a preferred embodiment of the present invention, when analyzer 220retrieves request 134 and response 132, analyzer 220 also retrievesassociated environmental data that may have been stored with eachrequest 134 and response 132 as discussed above.

In a step 440, analyzer 220 uses the retrieved request and the retrievedresponse, and in the preferred embodiment, the retrieved environmentaldata associated with each, to recreate and display the dynamicallygenerated screen 120. In this manner, analyzer 220 is able to present toanalyst 210 a dynamically generated screen 120 that is the same as thatviewed by client 110 during user session 130.

FIG. 5 illustrates the operation of a preferred embodiment of step 440in further detail. In a step 510, analyzer 220 analyzes theenvironmental data and other factors associated with retrieved request134 and retrieved response 132. In a step 520, analyzer 220 generates ascreen based on retrieved request 134 and retrieved response 132 therebyrecreating dynamically generated screen 120. In a step 530, analyzer 220displays the analyzed environmental data and the generated screen toanalyst 210. This permits analyst 210 to view the recreated screen inthe context of the environmental factors that may have effected theparticular user session 170. In a preferred embodiment of the presentinvention, in a step 540, the recreated screen is updated to reflectdata entered by user 110. This data is obtained from a subsequentrequest 132 from client 110 to server environment 140 in the particularuser session 170.

Analyzer 220 is now discussed in further detail in reference to FIG. 6.Analyzer 220 includes a analyze module 620, an analyzer database 630,and an import module 640. Import module 640 extracts meaningfulinformation out of the raw data of user session 170 stored in auditorstorage 160 for use by analyst 210. In a preferred embodiment of thepresent invention, import module 640 extracts information from hits 175in user session 170 from auditor storage 160 and stores it in analyzerdatabase 630 in a particular format unique to analyzer database 630. Forexample, for one application, import module 640 extracts informationfrom hits 175 captured in an Internet environment, while for anotherapplication, import module 640 extracts information from hits 175captured in an SAP R/3 environment. By doing so, import module 640 canextract session data associated with a variety of clients 110 and serverenvironments 140 and combine it into one centralized, uniform database,such as analyzer database 630. Thus, subsequent analysis tools (such asanalyze module 620) can analyze session data regardless of the format ofcaptured hits 175. Furthermore, using the common format of analyzerdatabase 630, the subsequent analysis tools can meaningfully comparesession data obtained from different clients 110, server environments140, applications, etc.

In a preferred embodiment of the present invention, data stored inanalyzer database 630 includes pertinent data from request 132 andresponse 134, and the associated environmental data. This data includesinformation associated with and derived from client 110 and serverenvironment 140 as well as the communication protocols used, and otherrelevant information that would be apparent to those familiar withvarious network protocols.

In a preferred embodiment of the present invention, analyzer database630 includes two sets of tables for each application in client/serverenvironment 100. The first tables are referred to as OLAP (“On-lineAnalysis Program”) analysis tables. The OLAP analysis tables aredesigned and optimized for preliminary OLAP analysis. In a preferredembodiment of the present invention, the OLAP analysis tables have astar-scheme structure and are fully indexed. FIG. 9 illustrates apreferred embodiment for a star structure for hits captured in anInternet or Web-based environment, while FIG. 10 illustrates a preferredembodiment for a star structure for hits captured in an SAP R/3environment.

The second tables in database 1130 are referred to as sessionviewer/analysis tables. Session viewer/analysis tables are designed andoptimized for visually recreating user session 130 and for doingsession-specific analysis. Session viewer analysis tables include all ofthe hit information as well as information about the creation ofavailable sessions and information extracted from the sessionidentification. FIG. 11 illustrates a preferred embodiment for a viewertable for hits captured in the Internet or Web-based environment, whileFIG. 12 illustrates a preferred embodiment for a viewer table for hitscaptured in an SAP R/3 environment.

FIG. 13 illustrates a dimension buffer data structure according to oneembodiment of the present invention. The dimension buffer data structureis useful for speeding OLAP analysis as would be apparent.

In one embodiment of the present invention, import module 640 alsostores information from auditor storage 160 into an archive (not shown).The archive is preferably a more permanent storage device. Theinformation stored in the archive may be the raw data as it is stored inauditor storage 160, or it may be data from auditor storage 160 that isstripped of extraneous information not associated with the function oroperation of analyzer 220. In either case, the information stored inarchive is indexed according to the session identification numberassociated with each user session 130. Because each sessionidentification is unique and non-reputable, the archive can store usersessions 170 from a variety of sources and a variety of applicationswithout a risk of conflict resulting in the loss of data.

Analyze module 620 is now described in further detail with reference toFIG. 7. Analyze module 620 includes a global analysis module 710 and aviewer module 720. Viewer module 720 includes a specific analysis module730, an intelligent parser 740, and a viewer component 750.

Global analysis module 710 allows analyst 210 to dynamically analyzeuser sessions 170 stored in analyzer database 720 from various clients110, server environments 140, and various applications running inclient/server environment 100. For example, global analysis module 710permits analyst 210 to analyze user sessions 170 for all clients 110that accessed a particular site in server environment 140. In anotherexample, global analysis module 710 permits analyst 210 to analyze usersessions 170 for a particular client 110 that accessed multiple sites indifferent server environments 140. In yet another example, globalanalysis module 710 permits analyst 210 to analyze all user sessions 170that resulted in a purchase of goods on a particular day for all clients110 and all server environments 140. These are merely examples of howglobal analysis module 710 might access analyzer database 720 and arelimited only by the information available in analyzer database 720itself.

Viewer module 720 is responsible for visually recreating a particularuser session 130, for performing session level analysis, and forpresenting it to analyst 210. As mentioned above, viewer module 720includes specific analysis component 730, intelligent parser module 740,and viewer component 750. Specific analysis component 730 is responsiblefor constantly providing statistical information associated with aparticular dynamically generated screen 120 and the environmental dataassociated with that screen at the lime it was generated and/ordisplayed to client 110. In a preferred embodiment of the presentinvention, specific analysis component 730 also calculates congestion inclient/server environment 100 on server environment 140 or oncommunication link 125 at the time the screen 120 was provided to client110 by server environment 140.

Viewer component 750 is responsible for physically displaying usersession 170. In particular, viewer component 750 provides analyst 210with means to move through user session 170 as well as to displaystatistics provided by specific analysis component 720. In a preferredembodiment of the present invention, for each particular client/serverapplication, a separate viewer component 750 exists. For HTML and XML,viewer component 750 is comprised of a web browser. For SAP R/3, viewercomponent 750 is comprised of a modified version of a front end used bySAP R/3. For other application, viewer component 750 comprises anappropriate .viewing program as would be apparent. In other words, aspecific viewer component 750 is used depending on the particularclient/server application.

Intelligent parser component 740 scans analyzer database 630 todetermine if it includes HTML. If so, intelligent parser component 740will determine if the HTML has any fields in it to allow intelligentparser component 740 to securely change the value of the fields upon asubsequent user request 134. In this manner, analyst 210 is able to viewdata entered by client 110 on the dynamically generated screen 120 as itoccurred during user session 130. In a preferred embodiment of thepresent invention, intelligent parser component 740 does not implementthis functionality for password fields for security reasons, as would beapparent.

As thus described, the present invention stores all requests 134 andresponses 132 that occur between client 110 and server environment 140.However, this approach is not required and furthermore may not bedesired, in all client/server environments 100. In alternate embodimentsof the present invention, auditor capture filter 150 may only storerequests 134 and responses 132 into auditor storage 160 when asignificant event occurs. For example, in one embodiment of the presentinvention, requests 134 and responses 132 are stored in auditor storage160 only if a purchase was completed. In this example, the purchase is asignificant event. In another embodiment of the present invention,significant events may be further broken down. For example, one set ofsession data is stored for clients 110 that purchase $10 million or moreworth of goods, while another set of session data is stored for clients110 that purchase less than $10 million worth of goods. This embodimentof the present invention eliminates much of the data from auditorstorage 160 associated with “surfing” or “browsing” or otherinsignificant events that might otherwise be stored. However, as wouldbe apparent, in other embodiments of the present invention, such“surfing” or “browsing” data may be useful to determine usage patterns(i.e. shopping patterns) and should be stored in auditor storage 160.The specific significant events that trigger the storage of session datain auditor storage 160 can vary from application to application, aswould be apparent.

In the embodiments of the present invention that use such significantevents as a criteria for storing session data, requests 134 andresponses 132 are preferably stored in a temporary memory until theparticular significant event occurs. Once the significant event occurs,requests 134 and responses 132 would be transferred from the temporarymemory into auditor storage 160. This process of transferring requests134 and responses 132 from temporary memory into auditor storage 160 isreferred to as “committing” requests 134 and responses 132 to auditorstorage 160. Other mechanisms for committing the session data (i.e.,requests 134 and responses 132) to auditor storage 160 are available aswould be apparent. For example, session data could be stored in auditor160 prior to the significant event and would be marked or otherwiseindicated as being temporary or uncommitted. Once the significant eventoccurs, this data would be marked as committed. If the significant eventdoes not occur, this data would be subsequently deleted or erased.

With this in mind, the operation of storing step 360 according to thisembodiment of the present invention is now described with reference toFIG. 19. In a step 810, auditor capture filter 150 stores arequest/response pair in a temporary database or other temporary memory.In a decision step 820, auditor capture filter 150 determines whether asignificant event occurred. If the significant event occurred, in a step830, auditor capture filter 150 commits the request/response pairsstored in the temporary database or temporary memory to auditor storage160. At some point, if the temporary database or temporary memory wasnot committed, auditor capture filter 150 would delete such temporarydatabase or temporary memory.

While the invention has been described in detail and with reference tospecific embodiments thereof, it will be apparent to one skilled in theart that various changes and modifications can be made therein withoutdeparting from the spirit and scope thereof. Thus, it is intended thatthe present invention cover the modifications and variations of thisinvention provided they come within the scope of the appended claims andtheir equivalents.

1. A method executing on a hardware computer system for visuallyrecreating a user session in a computer environment including a clientand a server, the method comprising the steps of: receiving a requestfrom the client at the server; capturing at the server the request andfirst environmental data associated with the computer environment;determining, by the server, a response to the request; sending theresponse from the server to the client; capturing at the server theresponse to the request and second environmental data associated withthe computer environment; and visually recreating at the server the usersession based on the captured request and the captured response.
 2. Themethod of claim 1, wherein the first environmental data is captured ator about when the request is captured.
 3. The method of claim 2, whereinthe second environmental data is captured at or about when the responseis captured.
 4. The method of claim 3, further comprising: retrievingthe request; retrieving the response; displaying the retrieved requestand response on a dynamically generated screen based on the first andsecond environmental data.
 5. The method of claim 4, further comprising:analyzing the first and second environmental data; and displaying theanalyzed environmental data.
 6. The method of claim 3, wherein thesecond environmental data includes information on load, traffic volume,status, and other system data.
 7. The method of claim 2, wherein thefirst environmental data includes information on load, traffic volume,status, and other system data.
 8. The method of claim 1, whereincapturing the request comprises receiving session identificationinformation associated with the client.
 9. The method of claim 1,wherein visually recreating the user session comprises: locating theuser session; retrieving the request; retrieving the response; anddisplaying the retrieved request and response on a dynamically generatedscreen.
 10. A hardware system for visually recreating a user session,which includes a request and a response to the request, in a computerenvironment including a client and a server comprising: a communicationlink between the client and the server, a memory, an auditor capturefilter capable of capturing the request and a first environmental dataassociated with the computer environment and storing the request and thefirst environmental data in the memory; capturing the response to therequest environment and storing the request and the a secondenvironmental data in the memory environment ; and a display forvisually recreating the user session based on the captured request andthe captured response.
 11. The system of claim 10, wherein the auditorcapture filter is further able to capture the first environmental dataat or about when the request is captured.
 12. The system of claim 11,wherein the auditor capture filter is further able to capture the secondenvironmental data at or about when the response is captured.
 13. Thesystem of claim 10, wherein the auditor capture filter is further ableto receive session identification information associated with theclient.
 14. The system of claim 10, further comprising: a processor foranalyzing the first and second environmental data; and wherein thedisplay is further able to display the analyzed environmental data. 15.The system of claim 10, wherein the auditor capture filter is capable ofstoring the response to the request.
 16. The system of claim 15, whereinthe first environmental data includes a loading parameter.
 17. Thesystem of claim 15, wherein the second environmental data includes aloading parameter.
 18. The system of claim 15, wherein the firstenvironmental data includes a traffic volume parameter.
 19. The systemof claim 15, wherein the second environmental data includes a trafficvolume parameter.
 20. The system of claim 15, wherein the firstenvironmental data includes a status parameter.
 21. The system of claim15, wherein the second environmental data includes a status parameter.22. The system of claim 15, wherein the first environmental dataincludes data available on the communication link.
 23. The system ofclaim 15, wherein the second environmental data includes data availableon the communication link.
 24. The system of claim 15, wherein the firstenvironmental data includes data known by the client.
 25. The system ofclaim 15, wherein the second environmental data includes data known bythe client.
 26. The system of claim 15, wherein the first environmentaldata includes data known by the server.
 27. The system of claim 15,wherein the second environmental data includes data known by the server.28. The system of claim 15, wherein the first environmental dataincludes data that identifies a date.
 29. The system of claim 15,wherein the second environmental data includes data that identifies adate.
 30. The system of claim 15, wherein the first environmental dataincludes data that is derived from the client.
 31. The system of claim15, wherein the second environmental data includes data that is derivedfrom the client.
 32. The system of claim 15, wherein the firstenvironmental data includes data that is derived from the server. 33.The system of claim 15, wherein the second environmental data includesdata that is derived from the server.
 34. The system of claim 15,wherein the first environmental data includes data that identifies acommunication protocol.
 35. The system of claim 15, wherein the secondenvironmental data includes data that identifies a communicationprotocol.
 36. The system of claim 15, wherein the first environmentaldata includes data that indicates if an error occurred.
 37. The systemof claim 15, wherein the second environmental data includes data thatindicates if an error occurred.
 38. The system of claim 15, wherein thefirst environmental data includes data that indicates if a problemoccurred.
 39. The system of claim 15, wherein the second environmentaldata includes data that indicates if a problem occurred.
 40. The systemof claim 15, wherein the first environmental data includes data thatindicates if a purchase occurred.
 41. The system of claim 15, whereinthe second environmental data includes data that indicates if a purchaseoccurred.
 42. The system of claim 15, wherein the first environmentaldata includes data that indicates if a purchase over a predeterminedvalue occurred.
 43. The system of claim 15, wherein the secondenvironmental data includes data that indicates if a purchase over apredetermined value occurred.
 44. The system of claim 15, wherein thefirst environmental data includes data related to congestion in thecomputer environment.
 45. The system of claim 15, wherein the secondenvironmental data includes data related to congestion in the computerenvironment.
 46. The system of claim 15, wherein the first environmentaldata includes data related to congestion in the communication link. 47.The system of claim 15, wherein the second environmental data includesdata related to congestion in the communication link.
 48. The system ofclaim 15, wherein the request includes a markup language statement. 49.The system of claim 15, wherein the request includes an HTML tag. 50.The system of claim 15, wherein the request includes an XML tag.
 51. Thesystem of claim 15, wherein the request includes an SGML tag.
 52. Thesystem of claim 15, wherein the request includes information utilized byan SAP R/3 computer environment.
 53. The system of claim 15, wherein theauditor capture filter is capable of monitoring the communication linkto capture the request and the response.
 54. The system of claim 15,wherein the auditor capture filter is capable of capturing the requestafter the server has received the request but before the server hasprocessed the request.
 55. The system of claim 15, wherein the auditorcapture filter is capable of capturing the response to the request afterthe server has processed the request and determined the response to therequest but before the server outputs the response to the request. 56.The system of claim 15, wherein the server provides the auditor capturefilter with access to the request.
 57. The system of claim 15, whereinthe server provides the auditor capture filter with hooks to sessiondata.
 58. The system of claim 15, wherein the auditor capture filter iscapable of capturing the request with active participation of theserver.
 59. The system of claim 15, wherein the auditor capture filteris capable of capturing the request directly from the communicationlink.
 60. The system of claim 15, wherein the server passes the requestto the auditor capture filter.
 61. The system of claim 15, wherein theauditor capture filter captures the request directly from thecommunication link without cooperation from or participation by theserver.
 62. The system of claim 15, wherein the auditor capture filteris capable of storing the request on a disk drive.
 63. The system ofclaim 15, wherein the auditor capture filter is capable of storing therequest in RAM.
 64. The system of claim 15, wherein the auditor capturefilter is capable of storing the request in a database.
 65. The systemof claim 15, wherein the auditor capture filter is capable of storing aseries of requests and responses that comprise the user session.
 66. Thesystem of claim 15, wherein the auditor capture filter is capable ofstoring a series of requests and responses.
 67. The system of claim 15,wherein the system is capable of storing a plurality of user sessionsand the system is capable of locating a user session from the pluralityof stored user sessions.
 68. The system of claim 15, wherein the systemis capable of storing a plurality of user sessions and the system iscapable of searching for a user session from the plurality of storeduser sessions based upon a search parameter.
 69. The system of claim 15,wherein the system is capable of storing a plurality of user sessionsand the system is capable of searching for a user session from theplurality of stored user sessions based upon a date.
 70. The system ofclaim 15, wherein the system is capable of storing a plurality of usersessions and the system is capable of searching a user session from theplurality of stored user sessions based upon a session number.
 71. Thesystem of claim 15, wherein the system is capable of storing a pluralityof user sessions and the system is capable of searching for a usersession from the plurality of stored user sessions based upon a keyword.72. The system of claim 15, wherein the system is capable of storing aplurality of user sessions and the system is capable of searching for auser session from the plurality of stored user sessions based upon anidentifier.
 73. The system of claim 15, wherein the system is configuredto extract data from the response and store the extracted data in adatabase.
 74. The system of claim 15, wherein the system is configuredto extract data from a plurality of clients and store the data in adatabase.
 75. The system of claim 15, wherein the system is capable ofstoring the request into a data structure that is indexed according tosession identification numbers.
 76. The system of claim 15, wherein theauditor capture filter is capable of committing the request in anauditor storage only if a specified event occurs.
 77. The system ofclaim 15, wherein the auditor capture filter is capable of committingthe request in an auditor storage only if a purchase occurs.
 78. Thesystem of claim 15, wherein the auditor capture filter is capable ofcommitting the request in an auditor storage only if a purchase over apredetermined value occurs.
 79. The system of claim 15, wherein theauditor capture filter is capable of storing the request in the memoryregardless of whether a specified event occurs and the auditor capturefilter is capable of storing the request in a second memory only if thespecified event occurs.
 80. The system of claim 15, wherein thecommunication link is a part of the Internet.
 81. The system of claim15, wherein the client is identified to the server with a sessionidentification identifier.
 82. The system of claim 15, wherein therequest includes a session identification identifier.
 83. The system ofclaim 15, wherein session identification data is implicit, but notexpress, in the request.
 84. The system of claim 15, wherein the systemis configured to allow an analyst to determine how the client movesthrough a network application.
 85. The system of claim 15, wherein thesystem is configured to display how the client moves through a networkapplication.
 86. The system of claim 15, wherein the system isconfigured to allow an analyst to determine how the client moves throughan e-commerce Internet application.
 87. The system of claim 15, whereinthe system is configured to display how the client moves through ane-commerce Internet application.
 88. The system of claim 15, wherein thesystem is configured to allow an analyst to determine how the clientmoves through an e-commerce network application.
 89. The system of claim15, wherein the system is configured to display how the client movesthrough an e-commerce network application.
 90. The system of claim 15,wherein the system is configured to allow an analyst to determine howthe client moves through a network application in order to make apurchase.
 91. The system of claim 15, wherein the system is configuredto display how the client moves through a network application in orderto make a purchase.
 92. The system of claim 15, wherein the system isconfigured to allow an analyst to isolate an error.
 93. The system ofclaim 15, wherein the system is configured to allow an analyst torecreate the user session in an effort to identify a problem with anetwork application.
 94. The system of claim 15, wherein the system isconfigured to allow an analyst to step through a plurality of requestsand responses in the time sequence that the requests and responsesoccurred.
 95. The system of claim 15, wherein the system is configuredto generate a plurality of screens that were displayed during the usersession.
 96. The system of claim 15, wherein the system is configured toallow an analyst to evaluate any request made by the client and toevaluate any response to any request.
 97. The system of claim 15,wherein the system is configured to allow an analyst to evaluate therequest after the user session is complete.
 98. The system of claim 15,wherein the system is configured to allow an analyst to evaluate therequest while the user session is occurring.
 99. The system of claim 15,wherein the system includes an analyzer that retrieves a plurality ofrequests from an auditor storage.
 100. The system of claim 15, whereinthe system includes an analyzer that retrieves a plurality of requestsfrom the auditor capture filter.
 101. The system of claim 15, whereinthe system is configured to perform an analysis based at least in partupon either the first environmental data or the second environmentaldata.
 102. The system of claim 15, wherein the system is capable ofvisually recreating a user session based at least in part upon dataentered by a user.
 103. The system of claim 15, wherein the system isconfigured to compare data obtained from different clients.
 104. Thesystem of claim 15, wherein the system is configured to compare dataobtained from different servers.
 105. The system of claim 15, whereinthe system is configured to compare data obtained from different networkapplications.
 106. The system of claim 15, wherein the system isconfigured to perform a session-specific analysis.
 107. The system ofclaim 15, wherein the system is capable of allowing an analyst todynamically analyze a plurality of user sessions from a plurality ofclients.
 108. The system of claim 15, wherein the system is capable ofdisplaying a plurality of user sessions from a plurality of clients.109. The system of claim 15, wherein the system is capable of allowingan analyst to dynamically analyze a plurality of user sessions from aplurality of servers.
 110. The system of claim 15, wherein the system iscapable of displaying a plurality of user sessions from a plurality ofservers.
 111. The system of claim 15, wherein the system is capable ofallowing an analyst to dynamically analyze user sessions from allclients that accessed a particular Web site.
 112. The system of claim15, wherein the system is capable of allowing an analyst to dynamicallyanalyze user sessions from all clients that accessed a particular Website during a specific time period.
 113. The system of claim 15, whereinthe system is capable of displaying user sessions from all clients thataccessed a particular Web site during a specific time period.
 114. Thesystem of claim 15, wherein the system is capable of allowing an analystto analyze user sessions for a client that accessed multiple Web siteshosted on different servers.
 115. The system of claim 15, wherein thesystem is capable of displaying user sessions for a client that accessedmultiple Web sites hosted on different servers.
 116. The system of claim15, wherein the system is capable of allowing an analyst to analyze alluser sessions that resulted in a purchase of goods.
 117. The system ofclaim 15, wherein the system is capable of displaying all user sessionsthat resulted in a purchase of goods.
 118. The system of claim 15,wherein the system is capable of allowing an analyst to analyze all usersessions that resulted in a purchase of goods during a specific timeinterval.
 119. The system of claim 15, wherein the system is capable ofdisplaying all user sessions that resulted in a purchase of goods duringa specific time interval.
 120. The system of claim 15, wherein thesystem includes a database that contains data that indicates whether auser session resulted in a purchase of goods.
 121. The system of claim15, wherein the system is capable of calculating congestion in thecomputer environment.
 122. The system of claim 15, wherein the system iscapable of calculating congestion in the communication link.
 123. Thesystem of claim 15, wherein the system is capable of displayingcongestion in the computer environment.
 124. The system of claim 15,wherein the system is capable of displaying congestion in thecommunication link.
 125. The system of claim 15, wherein the system iscapable of scanning a database to determine if the database includes afield that could be changed by a request from the client.
 126. Thesystem of claim 15, wherein the system is capable of displaying dataentered by a user of the client.
 127. The system of claim 15, whereinthe system is capable of displaying data entered by a user of the clientin the same sequence that the data was entered by the user during a usersession.
 128. The system of claim 15, wherein the system is capable ofdisplaying some but not all data entered by a user of the client. 129.The system of claim 15, wherein the system is capable of displaying alldata entered by a user of the client except user-entered passwords. 130.The system of claim 15, wherein the auditor capture filter is capable ofmonitoring the communication link to capture the request and theresponse, the auditor capture filter is capable of storing the responseto the request on a disk drive only if a specified event occurs, thefirst environmental variable is a loading parameter, and the requestincludes an HTML tag.